Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2446
Views
11
Helpful
5
Replies

Linking two SG300 in a PVLAN context.

Go to solution
oryva0001
Level 1
Level 1

‎10-20-2014 11:29 AM

We are owners of two SG300-28, upgraded to 1.4.0.88 firmware.

We want to use them in a PVLAN/communities setup, connected to a router.

On the first switch I can verify that I have independant communities, which have good external connection through the promiscuous port.

Now, I have yet to link the second switch (which has the same PVLAN and communities IDs) to the first one, in order to share the communities and the promiscuous port.

But what have to be the setup on each port of the link between the switches ? 

I tried a lot of things (even a simple trunk without VLANS, as told somewhere...)  but cannot a working setup..

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Brandon Svec
Level 7
Level 7
In response to oryva0001

‎10-21-2014 08:15 PM

Thanks for coming back to update this.  It seems to me you don't need private VLANs for anything though.  Maybe I don't understand private VLANs correctly, but I don't understand why they are needed for your stated requirements that seem to describe 'regular' VLANs: 

For all theses stations you want these constraints :

  • All stations can access to the stations of their department, but can't see stations of other depatments.
  • All station can access to the Internet.
-- please remember to rate and mark answered helpful posts --

View solution in original post

5 Replies 5

Go to solution
oryva0001
Level 1
Level 1

‎10-21-2014 08:15 PM

OK, for the record, I reply to myself with a working setup .

 

GOALS :

Imagine you have three departments (Research, Production, Sales) with stations on two SG300-28 switches, some stations of a same department are located on different switches :

 

Research" department

  2 stations on switch 1

Production department

  2 stations on switch 1
  1 station on switch 2 

Sales departmant

  2 stations on switch 2

 

For all theses stations you want these constraints :

  • All stations can access to the stations of their department, but can't see stations of other depatments.
  • All station can access to the Internet.

 

Switchs Setup :

To manage that, you will have to create 4 VLANS

  • One Primary VLAN, numbered 10
  • Three communities VLANs, numbered 100, 200, 300

In addition, to the port used to connect the stations, you will have tu use other ports on the switches :

Switch1 (IP 192.168.1.10):

  • Port 27 : router (used for internet access / DHCP server / switches administration by web/ssh...)
  • Port 28 : link to switch2

Switch2 (IP 192.168.1.11):

  • Port 27 : link to switch1

In order to anticipate future changes and network extensions, it is better to duplicate all VLANs in the two switches (anyway, it seems to be mandatory according to some cisco texts).

 

 

For all of that, you can use the following setup (VLANs relatives lines only) :

 

Switch 1:

vlan database
vlan 10,100,200,300
exit
interface vlan 10
private-vlan primary
exit
interface range vlan 100,vlan200,vlan300
private-vlan community
exit
!
interface vlan 10
 name PrimaryVlan1  
 ip address 192.168.1.10 255.255.255.0   
 no ip address dhcp
 private-vlan association add 100,200,300
!
interface vlan 100
 name "Research"  
!
interface vlan 200
 name "Production"
!
interface vlan 300
 name "Sales"
!interface gigabitethernet1
 description "Research - Station 1"
 switchport mode private-vlan host 
 switchport private-vlan host-association 10 100
!
interface gigabitethernet2
 description "Research - Station 2"
 switchport mode private-vlan host 
 switchport private-vlan host-association 10 100
!
interface gigabitethernet11
 description "Production - Station 1"
 switchport mode private-vlan host   
 switchport private-vlan host-association 10 200
!
interface gigabitethernet12
 description "Production - Station 2"
 switchport mode private-vlan host   
 switchport private-vlan host-association 10 200
!
interface gigabitethernet27
 description "Link to Router"
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 10 add 100,200,300
!
interface gigabitethernet28
 description "Link to switch 2"
 switchport trunk allowed vlan add 100,200,300
 switchport trunk native vlan 10 
!
exit

 

Switch 2 :

vlan database
vlan 10,100,200,300
exit
interface vlan 10   
private-vlan primary
exit
interface range vlan 100,vlan200,vlan300
private-vlan community
exit
!
interface vlan 10  
 name PrimaryVlan1 
 ip address 192.168.1.11 255.255.255.0
 no ip address dhcp 
 private-vlan association add 100,200,300
!
interface vlan 100
 name "Research"
!
interface vlan 200
 name "Production"
!
interface vlan 300
 name "Sales"
!interface gigabitethernet1
 description "Production - Station 3"
 switchport mode private-vlan host   
 switchport private-vlan host-association 10 200
!
interface gigabitethernet11
 description "Sales - Station 1"
 switchport mode private-vlan host
 switchport private-vlan host-association 10 300
!
interface gigabitethernet12
 description "Sales - Station 2"
 switchport mode private-vlan host
 switchport private-vlan host-association 10 300
!
interface gigabitethernet27
 description "Link to switch 1"
 switchport trunk allowed vlan add 100,200,300
 switchport trunk native vlan 10 
!
exit
 

 

 

 

Go to solution
Brandon Svec
Level 7
Level 7
In response to oryva0001

‎10-21-2014 08:15 PM

Thanks for coming back to update this.  It seems to me you don't need private VLANs for anything though.  Maybe I don't understand private VLANs correctly, but I don't understand why they are needed for your stated requirements that seem to describe 'regular' VLANs: 

For all theses stations you want these constraints :

  • All stations can access to the stations of their department, but can't see stations of other depatments.
  • All station can access to the Internet.
-- please remember to rate and mark answered helpful posts --

Go to solution
oryva0001
Level 1
Level 1
In response to Brandon Svec

‎10-22-2014 04:51 AM

I think I should have added in the constraints list that I wanted to stay in a Layer 2 mode, with only one subnet.

And with this mode (perhaps I missed something anyway) I had no VLANs separation when I tested.

I am far to be a Cisco expert, but I think that (unlike some other switches like the Netgear FSM726 our SG300s replaces) you have regular VLANs separation only when you are working in Layer 3 level (where your VLANS use different subnets). Private Vlans permit to do the same thing in Layer 2 context. 

 

Go to solution
Brandon Svec
Level 7
Level 7
In response to oryva0001

‎10-22-2014 08:29 AM

I see.  Yes, having all users in the same subnet and needing VLAN separation like this seems a reasonable application for private VLAN.  Using regular VLANs you would have needed to give each group a unique subnet and route between them as desired and create ACL as desired to block access where wanted.

-- please remember to rate and mark answered helpful posts --
0 Helpful

Go to solution
wladyslaw1951
Level 1
Level 1
In response to oryva0001

‎04-08-2015 01:53 AM

Hi,

you wrote: "In addition, to the port used to connect the stations, you will have tu use other ports on the switches"

Did you ment it is mandatory to use different port numbers for trunk (link beetwen switches)?

 

 

 

 

0 Helpful
Customers Also Viewed These Support Documents